Android Application Assessment – Part II

July 12, 2018
Mobile pentests

Android Application Decompilation

I assume you already have application installable .apk file saved onto your local drive (If not, please refer to my last post). In simpler terms, decompilation is the method to view application files. Steps for application decompilation are:

  • Rename your application file from .apk to .zip or .rar
  • Extract the zipped file to view application files

Files of interest are:

  • AndroidManifest.xml - Contains application permission, configuration settings, filters, service settings. Look for application permission or any external service call. More information can be found here.
  • Classes.dex – Contains application source code i.e. class files, java files, xml files, etc. Look for business logic implementation, encryption/decryption logic, hard-coded credentials, test data.

There are high chances of AndroidManifest.xml file being encoded, so you need to decode it using a third party tool before you can actually view it. Download AXMLPrinter2.jar utility from here. Below are the steps to decode AndroidManifest.xml file:

You should now be able to view your application AndroidManifest.xml in cleartext.
Another method to inspect AndroidManifest.xml file is to download and install Manifest Explorerapplication on to your android device as shown:

The next step is to decompile the classes.d
ex file. This is the most important file to inspect from security point of view. Here’s how you can decompile it:

  • Download a third party tool named dex2jar from here
  • Below is the command to convert dex file to jar:
  • Locate the created jar file and rename it to rar or zip
  • Extract the zipped file and view class files using your favourite java decompiler

Database Inspection

The objective of this test is to look for sensitive information stored in application database. There are high chances of getting the user credentials in cleartext or sensitive information  like user financial details, SSN numbers, etc. Android stores all application-related files under /data/data folder. You can access those files from adb.exe using the below commands:

adb devices – List of connected devices will be shown
adb shell
su
cd /data/data/
ls
Look for your application folder
cd com.android.applicationname
ls

Application database files will be stored in databases folder. To view database file, we need to use sqllite3 utility which comes along with SDK toolkit. Here’s how you can view them:

sqllite3 /data/data/com.android.applicationname/databases/databasename
.table – List all database tables
select * from user_id;

I will cover more application specific attacks and tool list which are essential from pentest perspective in my next post.

Happy Reading!!!

Share this post
Wordpress Security
Malware Analysis
Tools & Techniques
Pentests
PTaaS
Cyber Security
Technology
Subscribe to our newsletter

Join our newsletter today and enhance your knowledge with valuable insights. It's quick, easy, and free!

Be a Team Player
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Latest blogs

Latest updates in cybersecurity services

View All
Blacklock Blog Image
Wordpress CMS Security
Managing Wordpress and Joomla Security
June 9, 2016
Wordpress CMS Security
Pentests
Data Validation Framework – HDIV at a Glance
July 12, 2013
Pentests
Tools & Techniques
Automating NMAP Capabilities
August 8, 2014
Tools & Techniques